Privacy Policy
Last updated: April 10, 2026
OparFinance Inc. (“OparFinance”, “we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at oparfinance.com and any related services (collectively, the “Service”).
1. Information We Collect
We collect information you provide directly and information we receive from integrated third-party services.
Account information
When you create an account, we collect your name, email address, company name, and password. If you sign up through OneBase, we receive a shared authentication token and company identifier.
QuickBooks data
When you connect your QuickBooks account, we access your chart of accounts, vendor list, customer list, transaction history, and other financial records via the QuickBooks Online API. This access is read-only by default. We only write data to your QuickBooks account when you explicitly approve a transaction posting or enable auto-posting above a confidence threshold you set.
Bank data via Plaid
If you connect a bank account through Plaid, we receive transaction data, account balances, and account identifiers. We use read-only access. We never initiate transactions, transfers, or payments through Plaid. We do not store your bank login credentials.
Documents and receipts
If you upload or email receipts and bills to OparFinance, we process those documents using optical character recognition (OCR) to extract vendor names, amounts, dates, and line items. Original documents are stored in encrypted cloud storage.
Usage data
We automatically collect information about how you interact with the Service, including pages visited, features used, session duration, browser type, device type, and IP address.
2. How We Use Your Information
- Provide the Service: Categorize transactions, resolve merchant names, generate health scores, power the Fin AI CFO assistant, and produce reports.
- Improve accuracy: Analyze aggregated, anonymized patterns across our merchant intelligence database to improve categorization accuracy for all users. Individual financial data is never shared between companies.
- Communication: Send transactional emails (approvals, alerts, reports), product updates, and, with your consent, marketing communications.
- Security: Detect and prevent fraud, abuse, and unauthorized access.
- Compliance: Meet legal obligations, respond to lawful requests, and enforce our Terms of Service.
3. AI Data Processing
OparFinance uses artificial intelligence (powered by Anthropic Claude) to categorize transactions, extract data from documents, generate insights, and power our Fin AI CFO assistant. Here is what you need to know:
- We do not train AI models on your financial data. Your transactions, documents, and conversations with Fin are used solely to serve you. They are not used to train, fine-tune, or improve any third-party AI models.
- Transaction data is sent to the Anthropic API for real-time processing. Anthropic's enterprise API terms prohibit them from training on customer data.
- Our global merchant intelligence database uses anonymized, aggregated merchant name patterns (e.g., “AMZN MKTP” resolves to “Amazon”). No company-specific financial data is included in this database.
- Every AI-driven action is logged in a full audit trail before it takes effect.
4. Data Sharing
We do not sell your personal information. We share data only with the following categories of service providers, and only to the extent necessary to deliver the Service:
- Plaid Inc. — to retrieve bank transaction data and account balances via read-only API access.
- Intuit (QuickBooks) — to read and, upon your approval, write financial data to your QuickBooks account.
- Anthropic — to process transactions through the Claude AI API for categorization, extraction, and conversational responses.
- Stripe — to process subscription payments. Stripe receives your payment card information directly; we never see or store your full card number.
- Google Cloud — for OCR processing of uploaded receipts and bills via the Google Vision API.
- Supabase — for database hosting, authentication, file storage, and secrets encryption (Vault).
- Vercel — for application hosting and edge delivery.
We may also disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of OparFinance, our users, or others.
5. Data Security
We implement industry-standard security measures to protect your data:
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- QuickBooks and Plaid API tokens are encrypted using Supabase Vault and are never stored in plaintext, in environment variables at runtime, or in application logs.
- Multi-tenant data isolation is enforced at the database level with row-level security (RLS). Every query is scoped to the authenticated company.
- We conduct regular security assessments and are pursuing SOC 2 Type II certification.
6. Data Retention
We retain your account data and financial data for as long as your account is active or as needed to provide the Service. If you delete your account, we will delete your data within 30 days, except where retention is required by law (e.g., tax records, audit logs). Audit logs are retained for 7 years to meet regulatory requirements.
7. Your Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request that we delete the personal information we have collected from you, subject to certain exceptions.
- Right to Correct: You may request correction of inaccurate personal information.
- Right to Opt-Out: We do not sell personal information. We do not use personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, contact us at privacy@oparfinance.com. We will respond within 45 days as required by law.
8. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will delete that information promptly.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
10. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@oparfinance.com
- Website: oparfinance.com